Wireguard masquerade won't work

I’ve configured WireGuard server on my fresh Rocky Linux 9, I am able to connect to it and ping from both ends (client/server) each other but it looks like the masquerade doesn’t work.

In my /etc/sysctl.conf I have:

net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1

I did run it:

# sysctl -p
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1

I’ve configured firewalld:

firewall-cmd --zone=public --add-port=8443/udp --permanent
firewall-cmd --zone=internal --add-interface=wg0 --permanent
firewall-cmd --zone=public --add-rich-rule='rule family=ipv4 source address=10.0.0.0/24 masquerade' --permanent
firewall-cmd --zone=public --add-rich-rule='rule family=ipv6 source address=fd21:fe12:bf9b::/64 masquerade' --permanent
firewall-cmd --reload

# firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens18
  sources: 
  services: cockpit dhcpv6-client
  ports: 2222/tcp 8443/udp
  protocols: 
  forward: yes
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
        rule family="ipv4" source address="1.2.3.4" port port="2222" protocol="tcp" accept
        rule family="ipv4" source address="10.0.0.0/24" masquerade
        rule family="ipv4" source address="2.3.4.5" port port="2222" protocol="tcp" accept
        rule family="ipv6" source address="fd21:fe12:bf9b::/64" masquerade
        rule family="ipv4" source address="3.4.5.6" port port="2222" protocol="tcp" accept
        rule family="ipv4" source address="4.5.6.7" port port="2222" protocol="tcp" accept
        rule family="ipv4" source address="8.9.10.11" port port="2222" protocol="tcp" accept

# firewall-cmd --zone=internal --list-interfaces
wg0

What else should be set to allow outgoing traffic to peers?